Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Consumer Privacy

French CNIL Enforces Cookie Consent

CNIL LogoOn June 30, 2015, the French data protection authority, the CNIL, announced that it gave notice to 20 websites to comply with the consent requirements applicable to cookies.

After patiently waiting for almost a year to give websites the opportunity to comply with the cookie notice and consent rules explained in its official guidance from December 2013, the CNIL launched a series of audits (27 online audits, 24 on-site audits and 2 hearings) in October 2014.

The main finding of these audits was that for the most part, companies do not comply with the law in this area, the two main pitfalls being (i) the lack of comprehensive information and (ii) the fact that cookies are deployed on the user’s equipment before his/her consent has been collected.

In its press release, the CNIL pointed out that even where websites provide a cookie banner, they all automatically deploy cookies on users’ equipment anyhow, without waiting for the user consent. Continue Reading

Posted in International/EU Privacy

Hogan Lovells’ IAPP Tracker Post Explores USA FREEDOM Act: A Step Toward Restoring Trust?

spy-computer-shutterstock_55978777-250The following piece, written by the Hogan Lovells privacy team, was posted to the International Association of Privacy Professionals’ (IAPP) Privacy Tracker on June 25. The post, USA FREEDOM Act: A Step Toward Restoring Trust?,  is reprinted in its entirety below with permission from the IAPP.

The enactment of the USA FREEDOM Act was news unto itself. However, the impact that the surveillance reform legislation may have on cross-border data transfers could turn out to be newsworthy as well. In this post, we summarize some important elements of the legislation and explore the USA FREEDOM Act’s potential to influence more than government surveillance practices.

Continue Reading

Posted in International/EU Privacy

Part 11: Data Protection in the Workplace

02299 EU Data Protection Regulation Blog Image 02TE11Relevance of employee data protection
 for enterprises


Data privacy in an employment context remains
 an important challenge for companies. On the one hand, employers have a strong interest in monitoring personnel conduct or performance; few controllers are likely to have collected more personal data about an individual than their employer. On the other hand, employees have a legitimate expectation of privacy – including at their workplace. This inherent conflict of interests has created a considerable volume of case law regarding employee monitoring in several member states, relating to the permissibility of internal investigations and compliance controls.

Modern technology offers advanced technical options
to monitor employee performance and conduct. Even standard IT applications may be used to control or record personnel behaviour in the workplace. Where previously the degree of employee supervision was limited by what the technology could do, rapid technological advancements mean that data protection laws are
now the principal limitation in many jurisdictions. The Regulation is due to play a major role in this respect. As a consequence, employee data privacy has been one of the most hotly debated aspects of the Regulation, and it is expected that this area of data privacy will remain less harmonised than other fields of data protection.

Likely practical impact of the Regulation on employee data protection


For most member states, the Regulation will considerably change the landscape. Even for employers in member states with relatively strict employee data protection requirements, the upcoming data protection regime will create additional challenges.

As a general rule, all of the principles and restrictions of the Regulation also apply in the workplace. For instance, the new right of data portability means there will be a right to portability of data from one employer to another, and data privacy impact assessments may be required in many aspects of work life. Moreover, the severe maximum penalties which can be imposed under the new data protection framework are a strong encouragement for employers to ensure effective data protection for their employees.

Processing employees’ personal data for the performance of the employment contract

Personal data must be processed in a manner which is adequate, relevant and not excessive in relation

to the purposes of the employment relationship for which they are processed. Current Article 6 (1)(b) of
the draft Regulation will be particularly relevant in
an employment context, since it permits the use of personal data to the extent that processing is necessary for the performance of the employment contract between data subject and controller.

However, Article 82 of the Parliament draft also contains extensive additional provisions aimed at protecting
the rights and freedom of employees. In accordance with the provisions of the Regulation and the principle of proportionality, member states may adopt specific rules regulating the processing of personal data in an employment context. Among other things, profiling or the use of employee data for secondary purposes as well as the processing of employee data without their knowledge will be prohibited.

It remains to be seen to what extent these employee- friendly provisions will actually make it into the final version of the Regulation. In any case, it is likely that member states that traditionally have a high degree of employee data privacy will adopt employee-specific
data protection rules. As a consequence, there may be considerable variations in employee data protection and, consequently, a lesser degree of harmonisation between the individual member states.

Processing employees’ personal data for other legitimate purposes


The processing of employee data may be legitimised
by the general provisions of the Regulation. For example, Article 6 (1)(b) permits processing where
this is necessary for the purposes of legitimate
interests pursued by the employer or by a third party. However, this must be balanced against the interests
or fundamental rights and freedoms of the data subject, i.e. the employee. Outside an employment context, this provision may permit the collection and other processing of employee data.

Processing employees’ personal data on the basis of collective agreements


Under Article 82 of the Regulation, member states may allow the processing of personal data to be governed by collective agreements, for example by collective bargaining agreements or works council agreements, which may be entered into between employers and employees’ representatives.

In some countries with strong employee representative rights, like for instance Germany, works council agreements are already a reliable and safe way to govern the use of data in the work place. In member states permitting the use of employee data on the basis of collective agreements, it can be expected that domestic courts will quickly establish rules and standards for permissible collective provisions. However, this would then result in less EU-wide harmonisation regarding data protection in the work place.

Processing personal data on the basis of employee consent


Article 6 (1)(a) of the Regulation provides that processing of personal data for one or more specific purposes may be lawful if the data subject has given unambiguous consent to it. Not surprisingly, such consent must be freely given. In some member states, the question whether and under what circumstances employees can consent to the processing of their personal data has been an ongoing debate for years and the Regulation does not resolve this issue. Therefore, it is unlikely that employee consent will ever be the most robust basis
for the use of that data, and this needs to be factored in when justifying such uses.

What to do now

  • Keep in mind that specific employee data protection rules may be passed by individual member states, which would prevent a high degree of harmonisation in this area.
  • Align HR and data protection functions in order to ensure compliance with the new requirements.
  • Analyse whether your business’ personnel and data protection structures provide the level of transparency required by the new data protection rules.
  • Closely monitor whether member states relevant to your business/workforce implement specific employee data rules.
  • If collective agreements (including works council agreements or collective bargaining agreements) apply to your business: closely analyse any existing agreements and negotiate necessary changes in a timely manner.

This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.

Posted in International/EU Privacy

PART 10: Enforcement and the Risk of Non-Compliance

02299 EU Data Protection Regulation Blog Image 02TE10One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution. Continue Reading

Posted in International/EU Privacy

Part 8: Data Processors’ New Obligations

02299 EU Data Protection Regulation Blog Image 02TE8What’s the deal?

The Regulation will have a significant impact on service providers/vendors (i.e. data “processors”) and organisations that engage them because:

  • The Regulation imposes a number of detailed obligations and restrictions directly on processors, unlike the current Directive that only applies to data controllers
  • There are significant penalties which can be imposed on processors for failure to comply with their increased responsibilities
  • The new law is much more prescriptive about the contractual arrangements that must be in place between controllers and processors than under the current Directive
  • If processors act outside the authority given to them by controllers, they may be deemed a joint controller and therefore held to an even higher standard of accountability.

The new rules are considered in further detail below and will be triggered where:

  • The processor is established in the EU
  • EU law applies to the activities of the controller.

Continue Reading

Posted in International/EU Privacy

Germany: Pay-As-You-Drive-Insurance – First German Data Protection Authority Issues Requirements

shutterstock_203285494 [Converted]-01Telematics-based pay-as-you-drive insurance is a new, innovative and not yet proven product from the insurance industry. This new product collects information about the driving behavior associated with the vehicle and therefore raises privacy issues for the drivers. The Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia (Landesbeauftragter für Datenschutz und Informationsfreiheit Nordrhein-Westfalen – “LDI NRW“) is the first German data protection authority to evaluate a pay-as-you-drive product and has recently published its requirements for data protection and data security compliance (22nd report (2015) for 2013/14, point 5.1). Continue Reading

Posted in International/EU Privacy

Part 7: The New Accountability Regime

02299 EU Data Protection Regulation Blog Image 02TE7Background of the notion of accountability

Accountability has been described by the Article 29 Working Party as a way of “showing how responsibility is exercised and making this verifiable”.

Accountability is far from being a new concept. It was introduced back in 1980 in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Continue Reading

Posted in International/EU Privacy

Part 6: Profiling Restrictions v. Big Data

02299 EU Data Protection Regulation Blog Image 02TE6A stricter regime for profiling

Profiling and Big Data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed to public policy makers and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation. Continue Reading

Posted in Consumer Privacy, Cybersecurity & Data Breaches

NIST Tackles Cybersecurity in the Smart City

City - Binary - Smart CityAfter the recent release of the discussion draft of its Framework for Cyber-Physical Systems (CPS), the National Institute for Standards and Technology (NIST) has continued its push to facilitate the development of a more secure interconnected environment by convening a workshop on cybersecurity for smart cities. Co-hosted by the Cyber Security Research Alliance (CSRA) and titled “Designed-in Cybersecurity for Smart Cities: A Discussion of Unifying Architectures, Standards, Lessons Learned and R&D Strategies,” the workshop brought together representatives of government, industry, and academia to discuss how cybersecurity and privacy might be designed into the infrastructure of smart cities. Continue Reading